GHSA-36fq-jgmw-4r9c

Source

https://github.com/advisories/GHSA-36fq-jgmw-4r9c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-36fq-jgmw-4r9c/GHSA-36fq-jgmw-4r9c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-36fq-jgmw-4r9c

Aliases

CVE-2025-9906

Published

2025-09-19T09:31:14Z

Modified

2025-09-23T22:16:41.226671Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Keras is vulnerable to Deserialization of Untrusted Data

Details

Arbitrary Code Execution in Keras

Keras versions prior to 3.11.0 allow for arbitrary code execution when loading a crafted .keras model archive, even when safe_mode=True.

The issue arises because the archive’s config.json is parsed before layer deserialization. This can invoke keras.config.enable_unsafe_deserialization(), effectively disabling safe mode from within the loading process itself. An attacker can place this call first in the archive and then include a Lambda layer whose function is deserialized from a pickle, leading to the execution of attacker-controlled Python code as soon as a victim loads the model file.

Exploitation requires a user to open an untrusted model; no additional privileges are needed. The fix in version 3.11.0 enforces safe-mode semantics before reading any user-controlled configuration and prevents the toggling of unsafe deserialization via the config file.

Affected versions: < 3.11.0 Patched version: 3.11.0

It is recommended to upgrade to version 3.11.0 or later and to avoid opening untrusted model files.

Database specific

{
    "github_reviewed_at": "2025-09-19T17:16:44Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-502"
    ],
    "nvd_published_at": "2025-09-19T09:15:36Z",
    "github_reviewed": true
}

References

Affected packages

PyPI / keras

Package

Name: keras; View open source insights on deps.dev
Purl: pkg:pypi/keras

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.11.0

Affected versions

0.*

0.2.0

0.3.0

0.3.1

0.3.2

0.3.3

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.1.0

1.1.1

1.1.2

1.2.0

1.2.1

1.2.2

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.3.0

2.3.1

2.4.0

2.4.1

2.4.2

2.4.3

2.5.0rc0

2.6.0rc0

2.6.0rc1

2.6.0rc2

2.6.0rc3

2.6.0

2.7.0rc0

2.7.0rc2

2.7.0

2.8.0rc0

2.8.0rc1

2.8.0

2.9.0rc0

2.9.0rc1

2.9.0rc2

2.9.0

2.10.0rc0

2.10.0rc1

2.10.0

2.11.0rc0

2.11.0rc1

2.11.0rc2

2.11.0rc3

2.11.0

2.12.0rc0

2.12.0rc1

2.12.0

2.13.1rc0

2.13.1rc1

2.13.1

2.14.0rc0

2.14.0

2.15.0rc0

2.15.0rc1

2.15.0

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.1.0

3.1.1

3.2.0

3.2.1

3.3.0

3.3.1

3.3.2

3.3.3

3.4.0

3.4.1

3.5.0

3.6.0

3.7.0

3.8.0

3.9.0

3.9.1

3.9.2

3.10.0